The GDPR for English law trusts and estates
We live in an increasingly regulated world, and data protection has demanded more extensive compliance since the introduction of the EU’s General Data Protection Regulation (GDPR) in May 2018.
Family offices across Europe will therefore be familiar with the GDPR as part of their compliance and administration responsibilities, both in running the family office itself and looking after a family’s entities and affairs.
While the regulation is (generally) well understood in the context of businesses, its scope and concepts have been less clear in relation to private, family arrangements such as trusts and estates. In England and Wales, some of the rules have recently been clarified in their application to trustees and executors or administrators of deceased estates (PRs). This article will examine that recent guidance and recap the basic requirements of GDPR in the context of non-charitable English law trusts and estates (and references to trustees include PRs unless otherwise stated).
What is the GDPR?
The GDPR is a strict regulation designed to update and harmonise data protection law across the EU. It has transformed the basis on which personal data can be ‘processed’ (collected, shared, and used) by third parties. The Data Protection Act 2018 (DPA) aligns UK law with the GDPR and the regime is expected to remain in force in the UK after the end of the Brexit transition period.
The GDPR was developed in response to advances in technology and many of the rules are aimed at commercial organisations. It imposes a greater emphasis on the need for consent in certain circumstances; this is a requirement before organisations can send marketing emails, for example. Yet data protection applies to all forms of information, whether digital or held in paper form. It also applies to trustees and PRs despite the fact that the information they hold about beneficiaries will often have been provided without their knowledge or consent. Unless they fall within the exemption mentioned below, GDPR imposes increased obligations on trustees and PRs in relation to the personal ‘data’ such as names, addresses, or other details they hold about trust and estate beneficiaries and anyone else who is a natural, living person (who, for these purposes, is called a ‘data subject’).
In January 2020, the Society of Trust and Estate Practitioners (STEP) published an approach for PRs and trustees of non-charitable trusts under English law. This followed detailed conversations with the UK’s data protection body, the Information Commissioner’s Office (ICO), and the STEP ‘guidance’ was updated in May 2020 with the ICO’s response. While the ICO has not officially endorsed STEP’s interpretation, it has given limited support to their views and, importantly, has not disputed their analysis.
Exemption from the GDPR
There are few exemptions from the GDPR, but it does not apply to a natural person who processes personal data in the course of a “purely personal or household activity”. Clearly, this exemption cannot apply to corporate trustees, but the ICO has confirmed that individuals who are not acting in a professional capacity and are not paid for their services are “likely” to fall within the exemption, even though they are fiduciaries. Claiming expenses does not count as payment for these purposes. According to STEP, the exemption should therefore take unpaid lay trustees and PRs outside the regulations and should also exempt professionals acting without pay outside their firms (eg, if acting for family and friends) but, as the ICO says, “each situation should be considered in light of the individual circumstances.” Where there is a mixture of lay and paid professional trustees, STEP’s view is that all of the GDPR responsibilities fall on the professionals.
Trustees and PRs who are not exempt from the GDPR are likely to be data ‘controllers’ (ie, they determine the purposes and means of the processing of personal data) and must comply with its principles. These include broadly that personal data must be collected only for specified, legitimate purposes and that it must be processed in a lawful, fair, transparent, accurate, and secure manner, for no longer than is necessary in the circumstances. Personal data must be adequate, relevant, and limited to what is necessary for the purposes of the processing, and data controllers must be responsible for, and be able to demonstrate compliance with, all the principles.
The requirements for transparency and accountability mean trustees may now need to address the more proactive data protection responsibilities required by GDPR compared with the previous regime. This is something with which a family office may be asked to assist.
Lawful grounds for processing
A data controller must only process personal data on the basis of one or more of the specified legal grounds. For non-sensitive data, these are set out in Article 6 of the GDPR.
Consent of a beneficiary is unlikely to be a ground used by trustees and PRs, as most of their information will have been provided by the settlor or testator (initially at least). What’s more, if the data subject’s consent is relied upon as the legal basis for processing, data controllers should be aware that additional obligations apply and, most importantly, the consent may be withdrawn so that the processing must cease.
Most trustees and PRs will rely on Article 6(1)(c) – they process non-sensitive personal data on the basis that it is necessary for compliance with their legal obligations, ie to fulfil their duties as trustees/PRs and to comply with other areas of the law. Trustees’ duties require them to act in the best interests of their beneficiaries and carry out the terms of the trust so they will need, at the very least, contact details for the beneficiaries. More extensive information may be required by law – in order to comply with money-laundering regulations, for example, trustees must sometimes gather more personal data than they might otherwise need (national insurance numbers, etc).
Another ground that may be in point for trustees is in Article 6(1)(f) of the GDPR – the processing is necessary for the legitimate interests of the data controller or a third party, where these are not overridden by the interests or fundamental rights and freedoms of the data subject. However, the ICO states that reliance on this ground may involve more work for a data controller in balancing the parties’ interests, and this ‘balancing act’ could also provide scope for disagreement. Whichever ground is relied on, it should be identified and recorded before the processing starts, since the accountability principle requires trustees to be able to show why the processing was lawful.
Article 9 of the GDPR deals with special category (sensitive) data, for which separate legal grounds apply.
Processing certain sensitive information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, or sex life or sexual orientation is prohibited under the GDPR unless the individual has given explicit consent or one of the other conditions in Article 9(2) applies. This could be problematic for trustees and PRs, who may have access to this type of sensitive data from letters of wishes, trust and testamentary documents, or from other individuals in the context of considering how the trust fund or estate should be distributed. Trustees and PRs must determine and document their legal basis for processing this type of information before the processing begins.
Obtaining the express consent of the individual concerned may be inappropriate and would create difficulties if consent was refused or withdrawn, as noted above.
Trustees and PRs may be able to argue that it is in the public interest to see that the wishes of a settlor or testator are followed as closely as possible or, as STEP recommends, rely on the ground that the processing is necessary to establish beneficiary rights. This is found in Article 9(2)(f) of the GDPR which refers to processing necessary for “the establishment, exercise or defence of legal claims”. ICO guidance notes that ‘legal claims’ in this context “is not limited to current legal proceedings and includes processing necessary for … obtaining legal advice or establishing, exercising or defending legal rights in any other way”. This is backed up by pre-existing case law, which the ICO has confirmed could still be relevant authority under the GDPR.
In any event, trustees and PRs should tread very carefully with how and why they handle any sensitive information and also be mindful of the circumstances in which they may be regarded as processing this type of data. Merely knowing about a person’s domestic life will not amount to holding information on their sexual orientation but if trustees consider, for example, the same-sex nature of a relationship to be relevant to their decisions, that will amount to processing special category data.
In order to fulfil their obligations of transparency, trustees and PRs who are data controllers should consider the requirement to proactively provide their beneficiaries and any other data subjects with a privacy notice as soon as possible, unless one of the grounds not to do so applies. A ‘privacy notice’ is not defined in the GDPR itself but is the recognised method by which data controllers provide data subjects with the information required by Articles 13 and 14 of the GDPR.
Privacy notices cover matters such as the source and nature of the information held (where the data has been provided by someone other than the individual concerned) and, in all cases, how it will be used and shared and the person’s rights in relation to it, for example the rights to request access to it, to rectify mistakes and to have it erased, and the right to complain to the ICO. Where privacy notices are required, they should be written in clear and concise language, especially when addressed to a child. (Note: minors have the same rights as adults to be informed about the processing of their personal data, but it should be acceptable to issue privacy notices to a person with parental responsibility instead of directly to the child.)
Article 13 specifies the information to be provided when data is collected directly from a data subject. A privacy notice in these circumstances must be given at the same time as the data is obtained. The only exception is where the person already has the information. STEP notes that compliance with this requirement should be uncontroversial because a beneficiary with whom the trustees are in contact will be aware of their position and why the trustees need the information collected. Nevertheless, trustees need to be alert to the requirement and act accordingly, not only in respect of data collected from beneficiaries but also from any other person (such as other people who are beneficial owners of a trust for money-laundering purposes).
Compliance with Article 14 of the GDPR has the potential to be more problematic for trustees and PRs. This requires information to be provided, generally within one month, to a data subject whose personal information has been obtained from someone else. Beneficiaries’ information will often have been provided by the settlor or testator, and the beneficiary may be unaware of the trust or estate. Sending a privacy notice in these circumstances could cause confusion (false hope of benefit for remote beneficiaries) or disharmony, or disincentivise younger beneficiaries from making their own way in life.
Fortunately, there are a number of exceptions to providing a privacy notice under Article 14 (eg, if this would be impossible or involve disproportionate effort, or it would seriously impair the objectives of the processing or breach confidentiality obligations). However, in the absence of guidance, the extent of the transparency obligation, and the exceptions to it have not been entirely clear in relation to trustees and PRs.
The approach recommended by STEP is that trustees and PRs should always send a privacy notice if, and at the same time as, they collect the information directly from a beneficiary or other data subject. However, trustees may not need to send a privacy notice to beneficiaries where the information has been provided by someone else (such as the settlor), because there is an exemption (in Article 14(5)(c)) where the obtaining or disclosure of the data is expressly laid down by domestic law that also provides appropriate measures to protect data subjects’ legitimate interests. STEP’s view is that trustees must already comply with beneficiaries’ rights to information under English law, and that these provide appropriate measures to protect their interests. Where Article 14(5)(c) does not apply for any reason, trustees may be able to dispense with privacy notices under Article 14(5)(b), on the grounds of ‘disproportionate effort’ or on the basis that doing so would seriously impair the objectives of the trust, for example in relation to beneficiaries who are unlikely ever to benefit from the trust.
The STEP guidance is helpful since it may not be in the interests of the beneficiaries as a whole or could undermine the administration of the trust or estate if a privacy notice must be sent to every single beneficiary or potential beneficiary, as a matter of course. However, it remains to be seen how useful this approach will be since, in some cases, trustees are required by entities such as their banks to obtain beneficial ownership information (some of which can only be obtained from the individual concerned) from all of the trust or estate’s beneficiaries and other beneficial owners for money-laundering purposes. If trustees need to acquire that personal data directly from the subjects themselves, they are then back in the territory of Article 13, to which the exceptions described above do not apply.
In any event, GDPR requires accountability and so trustees and PRs should consider their position and be able to defend whatever they decide to do. The ICO has refrained from commenting on STEP’s approach but has confirmed that reliance on an exemption must be justifiable: “There is no ‘default position’ and each decision should be justified and in line with the accountability principle”.
Access to information
GDPR rules enable data subjects to request access to their personal information by making a so-called ‘subject access request’. There have been concerns that this may cut across trustees’ rights to withhold certain information under trust law principles. However, the UK government has confirmed that: “the GDPR directly protects against disclosure where it would adversely affect the rights and freedoms of others, including any rights or freedoms of trustees”. The government’s position appears to be that disclosure can be refused in relation to information that would be protected under trust law, such as trustee deliberations or reasons for their decisions.
Nevertheless, beneficiaries can ask the trustees what information is held about them, the purposes and length of time for which it will be held, other recipients to whom the information has been disclosed, and the source of this information. Unless the information is exempt from disclosure, copies of the data must be provided free of charge upon request and within one month, but there is also a right to refuse or to charge if the request is “manifestly unfounded or excessive”. Trustees and PRs faced with an access request should take care to redact personal information about others so as not to adversely affect their rights.
Sharing personal data
Great care is required when a data controller shares personal data with others and especially when data is transferred to anyone outside the EEA (a ‘third country’) or to an international organisation (see further below).
Trustees should be mindful of the GDPR principles of integrity, confidentiality, and purpose limitation in relation to their processing activities and should only share personal data where there is a legitimate reason to do so.
In practice, data controllers should review the nature of their relationship with any third party with whom they share data and establish whether the recipient is a data controller in their own right, a joint controller with the trustees or simply processes personal data on their behalf (a data ‘processor’). Professional advisers of the trustees are likely to be data controllers in their own right, or possibly joint controllers with the trustees. A family office providing services to trustees may be in either of those categories, or could be a data processor.
Where joint controllers are involved, they need to establish their respective roles and responsibilities as regards the GDPR (particularly with regard to sending privacy notices), and the essence of these arrangements should be communicated to data subjects.
The engagement of data processors is only permitted subject to the processor providing sufficient guarantees to implement appropriate measures to meet GDPR requirements and to ensure the protection of data subjects. Processing by a processor must be governed by a contract or relevant law in accordance with various requirements set out in Article 28 of the GDPR.
Transfers of personal data to third countries or international organisations are prohibited unless data controllers comply with the requirements of Chapter V of the GDPR. Such transfers are permitted if the relevant authority (currently the European Commission) has decided that the recipient country ensures an adequate level of protection, or if the data controller puts appropriate safeguards in place and enforceable data subject rights and effective legal remedies for data subjects are available. In the absence of an adequacy decision or appropriate safeguards, transfers to third countries or international organisations are also permitted where a derogation such as the following applies:
- with the explicit, informed consent of the data subject, who has been told of the risks of the transfer;
- where the transfer is necessary for the performance of a contract;
- to establish, exercise, or defend legal claims; or
- for the controller’s compelling legitimate interests which are not overridden by the data subject’s interests (this last derogation is narrowly drawn: the transfer must not be repetitive, must concern only a limited number of data subjects, and the supervisory authority must be informed).
Data security and breaches
Data controllers must implement appropriate technical and organisational measures to safeguard the personal information they process. This could include secure filing systems, or using password protection, encryption or robust firewall technology for information held digitally. It might also include putting a disaster recovery policy in place in the event of loss of information through a physical or technical incident.
A personal data breach (such as unauthorised disclosure, loss, alteration, or destruction) must be reported to the ICO in the prescribed form without undue delay, and in any event within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; if the report is made later than 72 hours, the reasons for the delay must be given. Every breach, whether reported or not, must be documented together with its effects and the remedial action taken. If a breach is likely to result in a high risk to the rights and freedoms of the data subjects, they must also be informed without undue delay.
There is a lot that trustees and PRs will need to do to ensure that they are GDPR compliant. Some of the action points they may wish to consider include:
- conducting an audit of what data is held and why, with whom it is shared, and how long it will be kept;
- putting arrangements in place for keeping it secure and up to date;
- establishing procedures to identify and report breaches, and to comply with subject access requests;
- reviewing contracts with others to whom the information is disclosed, to ensure they too are GDPR compliant;
- taking care when sending information to a third party, and implementing further checks and safeguards when sending to those outside the EEA;
- registering with the ICO;
- developing a policy and complying with the record-keeping requirements for their processing activities, where required; and
- issuing privacy notices to relevant beneficiaries and other data subjects.
GDPR enforcement and sanctions
The ICO is responsible for monitoring compliance with the GDPR and has civil enforcement powers under Part 6 of the DPA. The ICO’s investigative powers are exercisable through the issue of notices, such as information, enforcement, and penalty notices. The ICO has powers of entry and inspection and can levy penalties up to a maximum of €20 million or 4% of an undertaking’s annual worldwide turnover, whichever is higher. If fines are to be imposed on parties that are not an ‘undertaking’ as such, their economic situation should be taken into account and, in the context of a trust or estate, ‘turnover’ is understood to mean the total annual income or gains of the trust or estate. In all cases, fines should be effective, dissuasive, and proportionate, with due regard to matters such as the gravity and duration of the infringement, the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of any damage suffered by them.
There are also a number of criminal offences under the DPA, all punishable by a fine. These include matters such as obstructing ICO investigations, making false statements, destroying or falsifying information or documents, and concealing information to prevent disclosure to a data subject exercising a data access request.
To date, no civil fines or criminal prosecutions are known to have been pursued against trustees or PRs but the potential consequences of non-compliance cannot be ignored and so trustees and PRs should do everything they can to try to adhere to the GDPR rules.
This article does not attempt to answer every question about the GDPR and its application to trusts and estates. Indeed, the recent STEP guidance doesn’t cover every aspect either and it is understood that further guidance may be developed in due course. The STEP guidance does highlight that GDPR is an important aspect of compliance that trustees and PRs should now address if they have not done so to date.
This article was first published in the International Family Offices Journal in December 2020.